Disclaimer

The views expressed in this blog are my own and do not necessarily reflect the views of Oracle Corporation. All content is provided on an 'as is' basis, without warranties or conditions of any kind, either express or implied, including, without limitation, any warranties or conditions of title, non-infringement, merchantability, or fitness for a particular purpose. You are solely responsible for determining the appropriateness of using or redistributing and assume any risks.

By Joel Nation

Tag: OSB

So you’ve followed Oracle’s lead and started implementing REST services in Oracle Service Bus. But you very quickly run into a problem: how do I get my webpages to access these services via Ajax when they are hosted on different domains (or ports)? This is generally forbidden in most browsers, as it violates the ‘same origin policy’ (i.e. a page can only access resources in the same domain as itself). The most common recommendation to resolve this issue is to enable CORS (Cross Origin Resource Sharing). Basically you just set a header in the response from the remote service that lists the domains that are allowed to request this resource. If the web page is in that list, the browser will allow the resource to be accessed.

Getting this to work in OSB is actually pretty easy and will mean that your OSB services don’t have to be on the same domain as your web pages. Read on to find out how.

Another customer success story and another amazing cake! Yesterday we celebrated the launch of the Document Verification Service at ComSuper. This was the first service delivered on ComSuper’s new Oracle Service Bus platform and is hopefully the first of many.

The DVS is managed by the Attorney-General’s Department and is one of the key initiatives of the Council of Australian Governments’ National Identity Security Strategy. ComSuper checks the information on identity credentials against the records of the issuing agency in real time to inform decisions that rely upon the confirmation of a person’s identity. The service is a key tool to eliminate the use of fraudulent identities.

So by now you’ve seen how to install Label Security (here), configure a policy (here) and create a UI to access the data (here). Particularly in the UI post, you would have seen how Label Security helps to simplify our application development: we no longer have to worry about configuring data security, because the database takes care of it for us. Whilst a UI is a great way to access our data and demonstrates a common use case, it’s not the only way to access our data. So in this post we are going to demonstrate how to create a web service that will talk to our database and return the correct documents for each user.

If we weren’t using Label Security, we’d have to add some significant logic to poll the database for the security permissions of the user (e.g. JCooper has Top Secret access, but CDoyle can only see Secret Narcotics documents). We’d then need to apply that to our query to return the documents. Whilst this will work, what happens if the developer writes the query incorrectly and some users start seeing documents they shouldn’t? Or what happens if the service is compromised and a hacker gets access to the underlying database using the application database credentials? This poses a significant risk to our organisation and its data security. With Label Security we can avoid all this, as the service just has to query the database and pass down the user credentials. The database will take care of the rest: there is no opportunity for the developer to mess up the query, and if the user account is compromised, only the documents that user had access to will be affected.

I’ve uploaded the OSB project that we will create below to GitHub. You can access it here: https://github.com/Joelith/SecureOSB. To get it working, import the project into JDeveloper and configure the database source in WebLogic (detailed below). Otherwise read on to see how it’s all put together.

Let’s say you have a SOAP service provided by a third party that is very complex, for example the BPM SOAP service from Oracle that allows you access to the task list for users. You’d like to convert this complex request into a simpler service that removes all the unnecessary parameters and simplifies the output. This is particularly useful if you are servicing mobile applications, as you don’t want to burden them with unnecessary options when calling your service. You could also use this as an option to convert the SOAP structure into a REST one (but that’s an article for another day).

With that in mind, let’s create a rudimentary web service to call the BPM SOAP service. As an added bonus, we’ll do it in the newly released OSB 12c through JDeveloper. I’m going to use the queryTasks operation provided by the WSDL, but I only want the end user to send me the username and password details, and I’ll return just the task titles and ids.

Note: You shouldn’t pass the username and password in this manner, as the details will be sent in the clear with no encryption. You should use a security policy on the WSDL to control access instead (we covered that in a previous post). But for simplicity’s sake let’s continue.

So far we’ve seen the basics of WLST and created an OSB domain. The final step is to deploy an application using WLST. Normally in WLST you use the deployApplication method, but for OSB we have to do a little bit more.

The contents of this post were discussed at the Oracle Middleware Forum in Canberra. These are hosted every month and are a great opportunity to skill up in middleware and to meet fellow middleware enthusiasts in Canberra.

One of the main use cases of WLST is to automate the creation of your domains. Using WLST you can add all the configuration you need for your domain and ensure that it will be created exactly the same each time you build it (as opposed to relying on your infrastructure team member to remember to configure everything through the WebLogic console). Also, you can add your WLST script into your version control repository to ensure that all changes are tracked and that everyone always has the most up-to-date configuration.

To give you an idea of how to create a domain in WLST, let’s create a simple OSB domain. We’ve created a script ‘osb_domain.py’ that will create the domain and configure the JDBC data sources (among other things). This will create a fully working OSB domain for us to work with. In our next post we will create a WLST script to start up this domain, but for the time being we can start it the old-fashioned way (./startWebLogic.sh).

Recently a customer wanted to use OSB to connect to an external service that had a special policy requiring a security token to be passed in the header. The security information for this token was a static username and password combination supplied to the organisation. They wanted to be able to connect to this service without requiring each calling service to know the security information.

To do this we needed to create a Business Service in OSB that applied this custom policy.